September 1, 2000
Audit Report No. 00-038

Audit of the Information Technology Configuration Management Program

Federal Deposit Insurance Corporation                         Office of Audits
Washington, D.C. 20434                                        Office of Inspector General

DATE:      September 1, 2000

TO:        Donald C. Demitros, Director
           Division of Information Resources Management

FROM:      David H. Loewenstein
           Assistant Inspector General

SUBJECT:   Audit of the Information Technology Configuration Management Program
           (Audit Report No. 00-038)

The Federal Deposit Insurance Corporation's (FDIC) Office of Inspector General (OIG) has completed an audit of the Information Technology Configuration Management (CM) Program. We initiated this audit to (1) evaluate the effectiveness and (2) assess the implementation of the FDIC's CM program policies and procedures. However, during the audit survey, we found that the FDIC's Division of Information Resources Management (DIRM) was in the process of developing a plan for establishing a more formal CM program. The purpose of this report is therefore to provide our recommendations on what DIRM should consider when developing the formal CM program. We recognize that DIRM management has already taken many positive steps in initiating the CM study, appears to have identified the critical issues in its CM efforts, and may independently reach similar conclusions and recommendations. Our purpose in presenting these recommendations is to emphasize what we consider the salient features of an effective CM program. Once DIRM has developed, approved, and implemented a formal CM program, we will initiate an audit of the FDIC's implementation of the program.


BACKGROUND

CM is a critical element in the development of hardware and software because it is the disciplined approach to controlling the inevitable changes that occur during a product's life cycle. CM controls product changes by providing the policies, procedures, and tools needed to preserve the product's history; ensuring that the product's components are uniquely identified; and controlling and evaluating changes to the product during its life cycle.

Our audit focused on the CM of the FDIC's software inventory. The Institute of Electrical and Electronics Engineers' (IEEE) definition of software configuration management (SCM) includes four essential elements needed to maintain a product's integrity:

    (1) Configuration Identification. The items of a system, such as requirements documents, specifications, design documents, source code, test suites, manuals, project plans, schedules, test plans, and procedural documents, are identified, agreed upon, and established as the baseline from which changes will be measured.

    (2) Configuration Control. The method by which software changes and releases are controlled during the software life cycle. Any change or release to a baseline must be documented and controlled through change requests.

    (3) Configuration Accounting. The CM activities that record and report the status of configuration items.

    (4) Configuration Audit. The process that verifies the completeness and correctness of a product's software baseline. In addition, any software change must be verified for compliance with applicable standards and procedures.

During the life of a product, there are usually myriad changes that lead to its final configuration. For this reason, these four elements need to be effectively controlled, tracked, and accounted for by automated CM tools. The use of such tools is particularly important when tracking the changes made during the software development process.

In recent years, the U.S. General Accounting Office (GAO) has repeatedly identified weaknesses in the CM of software in its reviews of federal agencies' information security programs. In recent correspondence to the Chairman of the House Subcommittee on Government Management, Information and Technology, the GAO concluded, based on its interviews with officials at 16 of the largest federal agencies, that the controls over changes to software for federal information systems described in agency policies and procedures were inadequate. Because GAO identified government-wide weaknesses regarding software changes and related controls, it plans to recommend that the Office of Management and Budget (OMB) clarify guidance on these issues in its next revision of Circular A-130, Management of Federal Information Resources.

Presently, several branches within DIRM are engaged in CM activities. However, the FDIC does not yet have a formal CM program. During the FDIC's Year 2000 remediation efforts, the Corporation recognized that information technology policies were needed in such areas as CM and software testing.
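The following Python script is added here to illustrate the four SCM elements defined above in working code; it is not part of the OIG report and does not describe any FDIC or DIRM tool. It baselines uniquely identified configuration items with a digest of their content (identification), treats approved change requests as the only authorized way a baseline may move (control), reports a status for every item (accounting), and compares the software as found on a system against the baseline to flag unauthorized modifications, missing items, and software outside the program (audit). It also reports any label that identifies more than one item. All file contents, paths, CI-* and CR-* identifiers, and labels are constructed for the example.

```python
"""Audit of a software baseline illustrating the four SCM elements above. Added to
this page as an illustration, not FDIC/DIRM tooling; all data below is constructed."""
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ConfigItem:
    """Configuration Identification: a baselined item keyed by a unique ID."""
    ci_id: str       # unique identifier; the only key the audit relies on
    label: str       # project acronym; collisions are reported, not trusted
    version: str
    path: str
    sha256: str      # digest of the baselined content

@dataclass(frozen=True)
class ChangeRequest:
    """Configuration Control: the only legitimate way a baseline moves."""
    cr_id: str
    ci_id: str
    new_version: str
    new_sha256: str  # digest the approved change is expected to produce
    approved: bool

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_baseline(entries) -> dict[str, ConfigItem]:
    """Freeze (ci_id, label, version, path, content) tuples into a baseline."""
    baseline: dict[str, ConfigItem] = {}
    for ci_id, label, version, path, content in entries:
        if ci_id in baseline:
            raise ValueError(f"duplicate configuration item id {ci_id}")
        baseline[ci_id] = ConfigItem(ci_id, label, version, path, digest(content))
    return baseline

def label_collisions(baseline) -> dict[str, list[str]]:
    """Labels that identify more than one item (same acronym, different software)."""
    by_label: dict[str, list[str]] = defaultdict(list)
    for ci in baseline.values():
        by_label[ci.label].append(ci.ci_id)
    return {lbl: sorted(ids) for lbl, ids in by_label.items() if len(ids) > 1}

def audit(baseline, change_requests, current) -> dict[str, str]:
    """Configuration Audit, reported per item (Configuration Accounting). `current`
    maps path -> bytes as found on the audited system; a changed item is authorized
    only if an *approved* change request for it predicts the digest now observed."""
    approved = {(cr.ci_id, cr.new_sha256): cr.cr_id for cr in change_requests if cr.approved}
    by_path = {ci.path: ci for ci in baseline.values()}
    status: dict[str, str] = {}
    for path, ci in by_path.items():
        if path not in current:
            status[ci.ci_id] = "MISSING"
            continue
        observed = digest(current[path])
        if observed == ci.sha256:
            status[ci.ci_id] = "UNCHANGED"
        elif (ci.ci_id, observed) in approved:
            status[ci.ci_id] = f"AUTHORIZED CHANGE ({approved[(ci.ci_id, observed)]})"
        else:
            status[ci.ci_id] = "UNAUTHORIZED CHANGE"
    for path in sorted(set(current) - set(by_path)):
        status[path] = "UNTRACKED"   # software running outside the CM program
    return status

# Constructed sample data: baselined contents, one approved and one pending change.
CALC_V1 = b"def interest(principal, rate):\n    return principal * rate\n"
INTAKE_V23 = b"def intake(claim):\n    return validate(claim)\n"
INTAKE_V24 = b"def intake(claim):\n    return validate(claim) and log(claim)\n"
PAY_V41 = b"def run(batch):\n    return approve(batch) and post(batch)\n"
PAY_TAMPERED = b"def run(batch):\n    return post(batch)\n"   # approval step dropped
MANUAL_V1 = b"System Development Life Cycle Manual, section 1\n"

BASELINE = build_baseline([
    ("CI-0001", "CIS", "1.0", "apps/cis/loan_calc.py", CALC_V1),
    ("CI-0002", "CIS", "2.3", "apps/claims/intake.py", INTAKE_V23),  # acronym reused
    ("CI-0003", "PAY", "4.1", "apps/pay/run.py", PAY_V41),
    ("CI-0004", "DOC", "1.0", "docs/sdlc_manual.txt", MANUAL_V1),
])
CHANGE_REQUESTS = [
    ChangeRequest("CR-117", "CI-0002", "2.4", digest(INTAKE_V24), approved=True),
    ChangeRequest("CR-118", "CI-0003", "4.2", digest(PAY_TAMPERED), approved=False),
]
CURRENT_STATE = {                      # docs/sdlc_manual.txt is absent
    "apps/cis/loan_calc.py": CALC_V1,
    "apps/claims/intake.py": INTAKE_V24,
    "apps/pay/run.py": PAY_TAMPERED,
    "apps/pay/hotfix.py": b"# placed by hand, never baselined\n",
}

def run_audit() -> tuple[dict[str, str], dict[str, list[str]]]:
    return audit(BASELINE, CHANGE_REQUESTS, CURRENT_STATE), label_collisions(BASELINE)

if __name__ == "__main__":
    statuses, collisions = run_audit()
    print(*(f"{item:24} {state}" for item, state in statuses.items()), sep="\n")
    print(*(f"label {lbl!r} identifies {ids}" for lbl, ids in collisions.items()), sep="\n")
```

Running the script prints a status for each item. Two cases are worth noting. The pending request CR-118 predicts exactly the content now found in apps/pay/run.py, yet the change is still reported as unauthorized, because only an approved request authorizes a change. And apps/pay/hotfix.py is reported as untracked because it is present on the system but absent from the baseline, which is the situation in which unauthorized code can otherwise go undetected.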
The FDIC has initiated a project to identify and recommend the policies, procedures, and tools needed to support corporate software development efforts, including the establishment of formal CM practices, the enhancement of testing procedures, and the associated performance measurement activities.

To accomplish the FDIC's CM objectives, DIRM established the Configuration and Quality Management (CQM) group and detailed staff to develop the policies and procedures needed to implement a viable CM program. The project scope includes identifying and recommending the policies and procedures needed to govern CM, software testing, performance measurement, and software development. Presently, the staff is developing an action plan for accomplishing its project goals. The CQM staff expects to issue a report on its recommendations for implementing CM strategies by December 2000.


OBJECTIVES, SCOPE, AND METHODOLOGY

The objectives of this audit were to evaluate the effectiveness of the FDIC's CM program policies and procedures and to assess the implementation of those policies and procedures.

To address our objectives, we reviewed CM program policies and procedures for compliance with GAO and OMB standards and generally accepted CM practices. We also reviewed the FDIC's use of CM tools to determine whether these tools were used for all FDIC software. In addition to reviewing the CM process, we interviewed and held status meetings with responsible DIRM officials.

This audit was performed between March and July 2000 and was conducted in accordance with generally accepted government auditing standards.


RESULTS OF AUDIT

The FDIC has identified the need to improve its ability to control software changes through CM and has already recognized many of the issues noted in this report. We believe that DIRM should ensure that its CQM staff addresses the following issues as a more formal CM program is developed.

The FDIC needs to develop a centralized CM program that includes formal policies and procedures to control all software changes. Currently, administrative control over the development and modification of software is decentralized, and several DIRM offices perform CM activities. Further, DIRM does not yet have documented policies and procedures to ensure the establishment and implementation of (1) CM procedures for all FDIC software changes, (2) controls over the labeling and inventorying of FDIC software, and (3) criteria for the selection and use of CM tools.

Also, the FDIC would benefit from having a focal point to (1) ensure that all software changes are accounted for, (2) determine the overall impact of software changes on other FDIC operations, and (3) assess the cost-effectiveness of proposed software changes. This centralized control is needed to prevent (1) unauthorized software changes, (2) compromise of security features, (3) incorrect changes to software, and (4) noncompliance with GAO and OMB standards.


FDIC NEEDS TO DEVELOP AND DOCUMENT A CENTRALIZED CONFIGURATION MANAGEMENT PROGRAM

DIRM does not currently have a centralized CM program that is controlled by formal policies, procedures, and specific roles and responsibilities. OMB Circular A-130, Management of Federal Information Resources (A-130), states: "agencies shall plan in an integrated manner for managing information throughout its life cycle." In addition, A-130 states: "agencies shall consider at each stage of the information life cycle, the effects of decisions and action on other stages of the life cycle." It also states: "agencies shall record, preserve, and make accessible sufficient information to ensure the management and accountability of agency programs, and to protect the legal and financial rights of the Federal Government." The GAO's Federal Information System Controls Audit Manual (FISCAM) states that an entity should have a structured approach for controlling, identifying, and documenting changes in requirements that occur during the life of software, from creation, development, product release, customer delivery, and customer use through the maintenance phase. FISCAM also states that software should be labeled and inventoried in a way that diminishes the risk that software will be misidentified or lost. The GAO's Standards for Internal Control in the Federal Government states: "Internal control systems and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination." It also states: "The documentation should appear in management directives, administrative policies or operating manuals and may be in paper or electronic form."

During our review of current CM policies and procedures, we identified the need for a comprehensive CM program that documents the policies and procedures needed to ensure that (1) CM is initiated during the software development and modification process, (2) CM includes all FDIC software, (3) the FDIC uses a standard method for labeling and inventorying all software, and (4) CM tools are selected and used consistently.


DIRM Should Implement Configuration Management During the Software Development and Modification Process. The current FDIC System Development Life Cycle (SDLC) Manual does not provide instructions on, or references to, CM. In addition, the DIRM application and system developers we interviewed believe that they have no CM responsibilities during the software development and modification process. Therefore, we are concerned that the FDIC does not have adequate assurance that CM will occur during the software development and modification process. As a result, there is limited control over, or accountability for, software changes made during that process.


DIRM Needs to Ensure All FDIC Software Is Controlled by the Configuration Management Process. Presently, DIRM does not use the CM process to control all FDIC software changes. In addition, the FDIC does not yet have a focal point responsible for (1) ensuring that all FDIC applications are under CM or (2) implementing the procedures on the use of CM tools. The lack of a formal CM program limits the FDIC's assurance that only authorized programs and authorized modifications are implemented. Without proper CM controls, security features may be circumvented, and processing irregularities or unauthorized code may go undetected.


DIRM Needs to Standardize the Labeling and Inventorying of FDIC Software. Consistent labeling and inventorying of software is a key feature needed to control the CM process. We found, however, that in some cases the FDIC uses the same software acronym to identify different software. In addition, although one CM tool had a documented inventory, the other CM tools in use did not have inventories that identified the software they controlled. Inconsistent labeling and inventorying of software may result in difficulty identifying needed software in a timely manner, or in the selection of an incorrect version of software.


DIRM Needs to Develop Policies and Procedures for the Consistent Selection and Use of Configuration Management Tools. Presently, the DIRM application and system developers we interviewed stated that they use their professional judgment when selecting a CM tool for software development and modification. In addition, we found that not all CM tools interface with each other. Without policies and procedures, DIRM will not be assured that CM tools are effectively selected and used.


CONCLUSION

DIRM is in the initial stages of developing the policies and procedures for a comprehensive CM plan. When it reaches fruition, the project should greatly add to the control and effectiveness of the FDIC's software development process. During our review of the FDIC's configuration management policies and procedures, we identified enhancements to CM that the FDIC should consider when developing a formal CM program, in the interest of ensuring the best possible program to control software changes during a product's life cycle.


RECOMMENDATION

The Director, CQM, should incorporate the following elements when developing the plan to implement a formal CM program at the FDIC.

The FDIC should establish a centralized CM program for information technology that includes documented policies, procedures, and responsibilities to ensure that (1) CM includes the entire software development and modification process, (2) all FDIC software is included in the CM program, (3) all FDIC software is subject to a standardized labeling and inventorying process, (4) CM tools are consistently selected and used, and (5) the feasibility of integrating or consolidating the CM tools currently in use is explored.


CORPORATION COMMENTS AND OIG EVALUATION

On August 24, 2000, the Director, DIRM, provided a written response to the draft report that concurred with the recommendation. These comments are included as Appendix I. The Corporation's response to the draft report provides the elements necessary for management decisions on the report's recommendation.


APPENDIX I
CORPORATION COMMENTS

Federal Deposit Insurance Corporation
3501 North Fairfax Drive, Arlington, VA 22226             Division of Information Resources Management

August 24, 2000

TO:        David H. Loewenstein
           Assistant Inspector General

FROM:      Donald C. Demitros
           Director, DIRM

SUBJECT:   DIRM Management Response to the Draft OIG Report Entitled, "Audit of the Information Technology Configuration Management Program"

The Division of Information Resources Management (DIRM) has reviewed the subject draft audit report and generally agrees with the findings and recommendations.

One minor revision is requested. In the second paragraph of Page 4, the text should read "…Configuration and Quality Management (CQM) staff and detailed…".

The OIG's recommendation along with DIRM's response is provided below:

OIG Recommendation:

    The Director, CQM, should incorporate the following elements when developing the plan to implement a formal CM program at the FDIC.

    The FDIC should establish a centralized CM program for information technology that includes documented policies, procedures, and responsibilities to ensure that (1) CM includes the entire software development and modification process, (2) all FDIC software is included in the program, (3) all FDIC software is subject to a standardized labeling and inventorying process, (4) CM tools are consistently selected and used, and (5) the feasibility of integrating or consolidating the CM tools currently in use is explored.

DIRM Response:

    DIRM has many controls in process but we concur that no centralized CM process exists which comprehensively covers all the controls mentioned in the OIG memo. The recommendation from the CQM Staff to DIRM senior management will include a comprehensive, long-term plan to implement a CM program that addresses these concerns.

    CQM will also recommend a prioritized schedule for implementing such a program that will focus first on software version control, change control, and a rigorous testing methodology. Additional elements of the program proposal will include recommendations for the development of thorough policies and procedures and the development, publication, and implementation of a defined methodology in a deliberate and disciplined fashion.

    DIRM will complete the formal process and methodology by December 31, 2000.

If you have any questions, please contact Rack Campbell, DIRM's Audit Liaison, at (703) 516-1422.

cc:    Vijay Deshpande, OICM
       Larry Proctor, DIRM


APPENDIX II
MANAGEMENT RESPONSES TO RECOMMENDATIONS

The Inspector General Act of 1978, as amended, requires the OIG to report the status of management decisions on its recommendations in its semiannual reports to the Congress. To consider FDIC's responses as management decisions in accordance with the act and related guidance, several conditions are necessary. First, the response must describe for each recommendation

    • the specific corrective actions already taken, if applicable;
    • corrective actions to be taken together with the expected completion dates for their implementation; and
    • documentation that will confirm completion of corrective actions.

If any recommendation identifies specific monetary benefits, FDIC management must state the amount agreed or disagreed with and the reasons for any disagreement. In the case of questioned costs, the amount FDIC plans to disallow must be included in management's response.

If management does not agree that a recommendation should be implemented, it must describe why the recommendation is not considered valid. Second, the OIG must determine that management's descriptions of (1) the course of action already taken or proposed and (2) the documentation confirming completion of corrective actions are responsive to its recommendations.

The table below presents the management responses that have been made on recommendations in our report and the status of management decisions. The information for management decisions is based on management's written response to our report.

Rec. Number:                                    1
Corrective Action: Taken or Planned/Status:     CQM staff will develop a comprehensive, long-term plan to implement a CM program that addresses the OIG's concerns. CQM staff will also recommend a prioritized schedule for implementing the program.
Expected Completion Date:                       12/31/2000
Documentation That Will Confirm Final Action:   Final CM Plan
Monetary Benefits:                              Not Quantifiable
Management Decision: Yes or No:                 Yes